
New virus for jailbroken iPhones the most serious so far

November 23, 2009
Sophos Press Release

IT security and data protection firm Sophos is warning that a
new virus attacking the users of jailbroken iPhones is the most
serious to date, since it makes infected iPhones into zombies,
joining them to a botnet.

Two weeks ago the first ever iPhone virus appeared, changing
infected victims' wallpaper to an image of 1980s pop star Rick
Astley. However, aside from gobbling up bandwidth and Rickrolling
iPhones, it had no additional criminal intentions.

Sophos reports that over the weekend, a new iPhone worm
(informally called "Duh" or "Ikee.B" by security researchers) was
reported spreading in the wild in The Netherlands, designed to
upload banking information to a server in Lithuania and to follow
orders from remote hackers. The "Duh" worm hunts for vulnerable
iPhones across a wider set of IP ranges than Ikee, which was only
ever reported in Australia. "Duh" includes IP ranges in several
countries, including The Netherlands, Portugal, Australia, Austria,
and Hungary.

"This latest iPhone malware is doubly criminal. Not only does it
break into your iPhone without permission, but it also cedes
control of your phone to a botnet command server in Lithuania,"
said Graham Cluley, senior technology consultant at Sophos. "That means your
iPhone has just been turned into a zombie, ready to download and to
perform any commands the cybercriminals might want in the future.
If infected, you have to consider all of the data that passes
through your iPhone compromised."

In addition, Sophos reports that "Duh" changes the password on
your iPhone - meaning that cybercriminals know what it is but
infected users don't, allowing criminals to log back into your
iPhone later. However, Sophos expert Paul Ducklin
managed to recover the password, revealing that infected users
can log in as root with the password 'ohshit'.

"Apple's default root password - 'alpine' - on the iPhone breaks
two fundamental rules - it's both a dictionary word and well-known.
This doesn't matter for most iPhone users, as they haven't
jailbroken their iPhones and installed SSH to allow remote access -
but the new worm will break in and immediately change it. This
change is made by directly editing the encrypted value of the
password in the master password file, so that the new password is
never revealed," explained Paul
Ducklin, head of technology in Sophos Asia Pacific. "This
password-changing represents an additional risk, as it means that
cybercriminals now know what your password is - allowing them to
log back into your iPhone later - but you don't, so you cannot
login and eliminate the virus."

Sophos strongly recommends that all users of jailbroken phones
change their passwords from 'alpine' immediately to avoid further
attacks.
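The two facts above that a defender can act on are that the stock root password 'alpine' is what the worm logs in with, and that the worm's first move is to rewrite root's hash field in the master password file. The following script, an added example and not Sophos code, audits a BSD-style master.passwd (the format used on iPhone OS) for both conditions: it flags a root entry still carrying the stock hash, and it compares root's hash against a baseline copy the owner saved after changing the password, so a hash that changed behind the owner's back stands out. The value "/smx7MYTQIi2M" is assumed to be the DES-crypt hash of 'alpine' shipped on devices of the period; verify it against your own device. All file contents are constructed samples, not captures from a real phone.

```python
"""Audit root's entry in a BSD master.passwd for the stock 'alpine' hash
and for a hash that differs from a known-good baseline.

Added example; not Sophos code.  Line format (10 colon-separated fields):
name:hash:uid:gid:class:change:expire:gecos:home:shell
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Assumed stock DES-crypt hash of 'alpine' on iPhone OS (verify on your device).
STOCK_ALPINE_HASH = "/smx7MYTQIi2M"

# Constructed sample files.  Hashes other than the stock one are placeholders;
# the audit treats hash strings as opaque and never computes crypt() itself.
STOCK_FILE = (
    "root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh\n"
    "mobile:/smx7MYTQIi2M:501:501::0:0:Mobile User:/var/mobile:/bin/sh\n"
)
# Baseline saved by the owner right after replacing 'alpine' with `passwd`.
BASELINE_FILE = (
    "root:ab.CONSTRUCTED1:0:0::0:0:System Administrator:/var/root:/bin/sh\n"
    "mobile:cd.CONSTRUCTED2:501:501::0:0:Mobile User:/var/mobile:/bin/sh\n"
)
# Same device after something rewrote root's hash field without the owner.
TAMPERED_FILE = (
    "root:ef.CONSTRUCTED3:0:0::0:0:System Administrator:/var/root:/bin/sh\n"
    "mobile:cd.CONSTRUCTED2:501:501::0:0:Mobile User:/var/mobile:/bin/sh\n"
)


@dataclass
class PasswdEntry:
    name: str
    pw_hash: str
    uid: int
    gid: int
    rest: List[str]  # class, change, expire, gecos, home, shell (kept raw)


def parse_master_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse master.passwd text into a dict keyed by account name."""
    entries: Dict[str, PasswdEntry] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        entries[fields[0]] = PasswdEntry(
            name=fields[0], pw_hash=fields[1],
            uid=int(fields[2]), gid=int(fields[3]), rest=fields[4:],
        )
    return entries


def audit_root_password(current: str, baseline: str,
                        stock_hashes: Sequence[str] = (STOCK_ALPINE_HASH,)) -> List[str]:
    """Return finding codes for root's entry: 'stock-hash', 'empty-hash',
    'hash-changed' (differs from baseline) or 'root-missing'."""
    findings: List[str] = []
    cur = parse_master_passwd(current)
    base = parse_master_passwd(baseline)
    root = cur.get("root")
    if root is None:
        return ["root-missing"]
    if root.pw_hash in stock_hashes:
        findings.append("stock-hash")       # default password never changed
    if root.pw_hash == "":
        findings.append("empty-hash")       # no password at all
    base_root = base.get("root")
    if base_root is not None and base_root.pw_hash != root.pw_hash:
        findings.append("hash-changed")     # rewritten since the owner's baseline
    return findings


if __name__ == "__main__":
    for label, current in (("stock", STOCK_FILE), ("clean", BASELINE_FILE),
                           ("tampered", TAMPERED_FILE)):
        print(f"{label:9s} -> {audit_root_password(current, BASELINE_FILE) or ['ok']}")
```

On a jailbroken device the live file is /etc/master.passwd; copy it somewhere the phone cannot overwrite after you run `passwd`, and re-run the audit against that copy periodically. A 'hash-changed' finding while you have not touched the password is exactly the symptom the release describes.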

About Sophos

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at www.sophos.com/company.